Snyk - Open Source Security

Snyk test report

March 29th 2026, 12:42:59 am (UTC+00:00)

Scanned the following paths:
  • quay.io/argoproj/argocd:v3.2.8/argoproj/argocd/Dockerfile (deb)
  • quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
  • quay.io/argoproj/argocd:v3.2.8//usr/local/bin/kustomize (gomodules)
  • quay.io/argoproj/argocd:v3.2.8/helm/v3//usr/local/bin/helm (gomodules)
  • quay.io/argoproj/argocd:v3.2.8/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
13 known vulnerabilities
14 vulnerable dependency paths
2326 dependencies

Incorrect Authorization

critical severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Vulnerable module: google.golang.org/grpc
  • Introduced through: github.com/argoproj/argo-cd/v3@* and google.golang.org/grpc@v1.75.1

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* google.golang.org/grpc@v1.75.1

Overview

Affected versions of this package are vulnerable to Incorrect Authorization in the processing of HTTP/2 :path pseudo-headers in handleStream(). An attacker can gain unauthorized access to restricted resources by sending requests with malformed :path headers that omit the leading slash. This is only exploitable if the server uses path-based authorization interceptors, has deny rules that use canonical paths with leading slashes, and has a fallback allow rule in its policy.

Workaround

This vulnerability can be mitigated by adding a validating interceptor that rejects requests with malformed paths, configuring infrastructure (such as reverse proxies) to enforce strict HTTP/2 compliance, or switching to a default-deny authorization policy.

Remediation

Upgrade google.golang.org/grpc to version 1.79.3 or higher.

References

More about this vulnerability

Untrusted Search Path

high severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Vulnerable module: go.opentelemetry.io/otel/sdk/resource
  • Introduced through: github.com/argoproj/argo-cd/v3@* and go.opentelemetry.io/otel/sdk/resource@v1.38.0

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* go.opentelemetry.io/otel/sdk/resource@v1.38.0

Overview

Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

Note: This vulnerability is only exploitable on MacOS/Darwin systems.

Remediation

Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

References

More about this vulnerability

Inefficient Algorithmic Complexity

medium severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 /usr/local/bin/helm
  • Package Manager: golang
  • Vulnerable module: golang.org/x/net/html
  • Introduced through: helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0

Detailed paths

  • Introduced through: helm.sh/helm/v3@* golang.org/x/net/html@v0.40.0

Overview

golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

Remediation

Upgrade golang.org/x/net/html to version 0.45.0 or higher.

References

More about this vulnerability

Infinite loop

medium severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 /usr/local/bin/helm
  • Package Manager: golang
  • Vulnerable module: golang.org/x/net/html
  • Introduced through: helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0

Detailed paths

  • Introduced through: helm.sh/helm/v3@* golang.org/x/net/html@v0.40.0

Overview

golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

Remediation

Upgrade golang.org/x/net/html to version 0.45.0 or higher.

References

More about this vulnerability

Improper Validation of Specified Type of Input

medium severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Vulnerable module: github.com/vmihailenco/msgpack/v5
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/vmihailenco/msgpack/v5@v5.4.1

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/vmihailenco/msgpack/v5@v5.4.1

Overview

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.

Remediation

There is no fixed version for github.com/vmihailenco/msgpack/v5.

References

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Module: github.com/r3labs/diff/v3
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.2

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/r3labs/diff/v3@v3.0.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Module: github.com/hashicorp/go-version
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/hashicorp/go-version@v1.7.0

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Module: github.com/hashicorp/go-retryablehttp
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.8

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/hashicorp/go-retryablehttp@v0.7.8

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/helm/v3 /usr/local/bin/helm
  • Package Manager: golang
  • Module: github.com/hashicorp/go-multierror
  • Introduced through: helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1

Detailed paths

  • Introduced through: helm.sh/helm/v3@* github.com/hashicorp/go-multierror@v1.1.1

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Module: github.com/hashicorp/go-cleanhttp
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/hashicorp/go-cleanhttp@v0.5.2

MPL-2.0 license

More about this vulnerability

MPL-2.0 license

medium severity
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Module: github.com/gosimple/slug
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/gosimple/slug@v1.15.0

MPL-2.0 license

More about this vulnerability

Improper Validation of Integrity Check Value

medium severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Vulnerable module: github.com/go-git/go-git/v5/storage/filesystem
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/go-git/go-git/v5/storage/filesystem@v5.14.0

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/go-git/go-git/v5/storage/filesystem@v5.14.0

Overview

Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

Workaround

This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

Remediation

Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

References

More about this vulnerability

Allocation of Resources Without Limits or Throttling

low severity
Exploit: Not Defined
  • Manifest file: quay.io/argoproj/argocd:v3.2.8/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:25.04
  • Vulnerable module: glibc/libc-bin
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.2.8 and glibc/libc-bin@2.41-6ubuntu1.2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.2.8 glibc/libc-bin@2.41-6ubuntu1.2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.2.8 glibc/libc6@2.41-6ubuntu1.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

Remediation

There is no fixed version for Ubuntu:25.04 glibc.

References

More about this vulnerability